format string exploit in OpenLDAP server (ITS#1813)

my name is david reign and i work for a small security & investments company
in australia. i have discovered a "format string" bug in the acl parsing
portion of the slapd server.
vendor status: have not contacted till now
details:
    if ( a->acl_attrs != NULL ) {
        int i, first = 1;
        to++;
        fprintf( stderr, " attrs=" );
        for ( i = 0; a->acl_attrs[i] != NULL; i++ ) {
            if ( ! first ) {
                fprintf( stderr, "," );
            }
            fprintf( stderr, a->acl_attrs[i] );   /* <-- just here: attribute name used as the format string */
            first = 0;
        }
        fprintf( stderr, "\n" );
    }
no need to tell you that format string bug in remote server equals remote
root compromise.
since it writes a->acl_attrs[i] which is one variable in the structure,
fragmented exploitation is needed, with a little part of the string being
written at a time. no working exploit code is known of.
i also may have found numerous other format bugs like print_error(buf) but
can't verify this yet.
i will be drafting a formal advisory and since this is a HUGE issue because
OpenLDAP has a wide user base the public needs to be notified.
be in contact soon,
- davidr
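Added example, not part of the original post or of OpenLDAP: the quoted loop rewritten so the attribute name is passed as an argument to a fixed "%s" format, plus a small check that flags attribute strings carrying conversion directives. The sample attribute list and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: attribute names as they might appear in an ACL clause.
 * The second one carries a conversion directive, which is exactly the kind of
 * input the original fprintf(stderr, a->acl_attrs[i]) would interpret. */
static const char *sample_attrs[] = { "cn", "uid%s", "mail", NULL };

/* Hardened form of the loop quoted above: the attribute name is an argument to
 * a fixed "%s" format, so its contents are printed, never interpreted.
 * Returns the number of attributes written. */
int print_acl_attrs(FILE *out, const char **attrs)
{
    int i, first = 1;
    if (attrs == NULL) return 0;
    fprintf(out, " attrs=");
    for (i = 0; attrs[i] != NULL; i++) {
        if (!first) fputc(',', out);
        fprintf(out, "%s", attrs[i]);   /* was: fprintf(stderr, attrs[i]); */
        first = 0;
    }
    fputc('\n', out);
    return i;
}

/* Defensive check for config validation: returns the index of the first '%'
 * that is not part of a literal "%%" (i.e. one a printf-family function would
 * treat as a conversion directive if the string were ever used as a format),
 * or -1 when the string contains none. */
int first_format_directive(const char *s)
{
    const char *p;
    for (p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent sign */
        return (int)(p - s);
    }
    return -1;
}

int main(void)
{
    int n = print_acl_attrs(stdout, sample_attrs);
    printf("%d attrs printed; directive at index %d in \"%s\"\n",
           n, first_format_directive(sample_attrs[1]), sample_attrs[1]);
    return 0;
}
```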